How are you addressing ransomware at your organization?


Chief Security Officer, VP of Info Svc, Analytics and Cloud Infra & Operations in Software, 201 - 500 employees
I’m not doing anything to specifically address ransomware yet. I'm addressing all of the causal factors that I perceive as reasons that I might be infected by ransomware. At the end of the day ransomware is the end state. Something bad—probably many bad things—had to happen first: either you didn't patch or somebody clicked on a phishing email. More people need to look at the earlier states. What are you doing about phishing and patching?
Senior Director, Technology Solutions and Analytics in Telecommunication, 51 - 200 employees
We are communicating on all business levels that ransomware is a big deal and dollars need to be spent to reduce our risk. From an operations perspective, we ensure we backup multiple times per day and the backups are tested weekly. It is not if ransomware will hit our organization. It is when.
Head of Business Technology in Software, 201 - 500 employees
The first question is, do we have preventive measures in place to protect our infrastructure and not be attacked? If we are attacked, how do we do microsegmentation and protect other things? Endpoint Managed Detection and Response (EMDR) and Security Information Management (SIM) are solutions which can resolve that. But we don't have a single solution, a single pane of glass. It's all out in so many tools and technologies. How do we handle that?
Chief Security Officer, VP of Info Svc, Analytics and Cloud Infra & Operations in Software, 201 - 500 employees

I think everybody has to give up on the single pane of glass. I've been wanting that for 20 years, and it's a myth. It's never going to happen.

Head of Business Technology in Software, 201 - 500 employees

It's a myth.

CISO in Software, 51 - 200 employees

We were trying to do that at Armis. So when I was at Armis, we basically API-ed and integrated with every security product out there, so we'd be pulling data from every single security product you already have into our tool so that you could use it as an investigation platform, you could see exactly where the alerts were coming from. It was pretty interesting how they did it.

President and Chief Pilot, Self-employed
I've used Security Information Management (SIM) to track down what I've been doing and things that are attacking it. That's why I started air gapping some of this, because the SIMs were showing where people were trying to get in and there were constant bots hitting things along those lines. I couldn't find a single pane of glass solution; it didn't exist. All I found were more panes of glass claiming they could do the same thing, so that's why I actually did that. The SIM actually was again very helpful, because it would notify me or my staff or whatever group it was. We had notifications coming off of that, and we could start investigating it.
Head of Security in Software, 501 - 1,000 employees
When we were more on-premise, there was a configuration management database (CMDB) that was like a one-stop shop for inventory management. But now that we have cloud, the lifespan of what you would define as an asset is very small. Event management tools like security information management (SIM) will throw out alerts and then you need to consolidate that event into an incident. That incident could be ransomware, a data breach or an impersonation.

While there's no one-size-fits-all approach to this, I would like to think you could have one incident management policy with individual incident management procedures. Depending on the type of incident, your CART team is going to change. If it is a data breach, there's more involvement with legal, marketing and communications teams. If it is ransomware, it's heavier on your IT and tech operations teams; of course there is still an element involving legal and cyber insurance, etc. Now that US laws have tightened around that, there's also a law enforcement component to it. You would have multiple specific incident response procedures governed by the same policy and the same training that you launch across the organization.
CIO in Education, 1,001 - 5,000 employees
Nutanix Mine/Xi Leap and Veeam for immutable server backups. Code 42 for immutable endpoint backups.
Director of IT in Software, 201 - 500 employees
Backup everything, test backup every night, replicate to DR site, test DR site periodically, NGFW, SIEM, each department on a separate vlan with firewall in-between, AV+EDR, security awareness training for employees, regular external and internal pen tests. So far so good :)
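The two posts above rely on backups that are both immutable and actually tested. As an added example (not code from any of the posters or from the products they name), the script below shows the core of a nightly "test backup" job: it records a SHA-256 manifest at backup time, later re-verifies the backup set against a copy of that manifest kept outside the backup tree, and flags changed files whose contents look like ciphertext (high Shannon entropy), which is what a ransomware-encrypted backup looks like. The manifest file name, directory layout, sample files and the "ransomware" tampering are all constructed for the example.

```python
"""Nightly backup verification: integrity check plus ransomware-style tamper detection.

Added example, not from the thread. Assumes a backup set is a directory tree of files
plus a manifest of SHA-256 digests written at backup time (hypothetical layout).
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

MANIFEST_NAME = "MANIFEST.sha256"  # hypothetical: one "<sha256>  <relative path>" line per file
ENTROPY_THRESHOLD = 7.5            # bits per byte; ciphertext is ~7.99, English text ~4.5


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def list_files(backup_dir: str):
    """Relative paths of every regular file under backup_dir, excluding the manifest itself."""
    for root, _dirs, names in os.walk(backup_dir):
        for name in names:
            rel = os.path.relpath(os.path.join(root, name), backup_dir)
            if rel != MANIFEST_NAME:
                yield rel


def write_manifest(backup_dir: str) -> str:
    """Record a digest for every file at backup time.

    The manifest must also be copied out of band (WORM/immutable storage): an attacker
    who can encrypt the backup tree can just as easily rewrite a manifest stored in it.
    """
    path = os.path.join(backup_dir, MANIFEST_NAME)
    with open(path, "w") as f:
        for rel in sorted(list_files(backup_dir)):
            f.write(f"{sha256_file(os.path.join(backup_dir, rel))}  {rel}\n")
    return path


def verify_backup(backup_dir: str, manifest_path: str) -> dict:
    """Compare the backup tree with a trusted manifest copy and report discrepancies."""
    expected = {}
    with open(manifest_path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            expected[rel] = digest
    present = set(list_files(backup_dir))
    report = {
        "missing": sorted(set(expected) - present),    # deleted or renamed (e.g. ".locked")
        "unlisted": sorted(present - set(expected)),   # new files, e.g. a dropped ransom note
        "modified": [],                                # digest mismatch of any kind
        "suspicious_entropy": [],                      # modified AND content looks encrypted
    }
    for rel in sorted(present & set(expected)):
        full = os.path.join(backup_dir, rel)
        if sha256_file(full) != expected[rel]:
            report["modified"].append(rel)
            with open(full, "rb") as f:
                # Only sample the first MiB; enough to distinguish text/CSV from ciphertext.
                if shannon_entropy(f.read(1 << 20)) >= ENTROPY_THRESHOLD:
                    report["suspicious_entropy"].append(rel)
    report["ok"] = not (report["missing"] or report["unlisted"] or report["modified"])
    return report


def demo() -> dict:
    """Build a constructed backup set, verify it, then simulate ransomware and re-verify."""
    with tempfile.TemporaryDirectory() as backup_dir, tempfile.TemporaryDirectory() as safe_dir:
        os.makedirs(os.path.join(backup_dir, "hr"))
        with open(os.path.join(backup_dir, "hr", "payroll.csv"), "w") as f:  # constructed data
            f.write("id,name,amount\n" + "".join(f"{i},employee{i},{1000 + i}\n" for i in range(300)))
        with open(os.path.join(backup_dir, "notes.txt"), "w") as f:
            f.write("constructed sample notes\n" * 100)
        manifest = write_manifest(backup_dir)
        safe_manifest = os.path.join(safe_dir, MANIFEST_NAME)   # the out-of-band copy
        with open(manifest) as src, open(safe_manifest, "w") as dst:
            dst.write(src.read())
        clean = verify_backup(backup_dir, safe_manifest)

        # Simulated ransomware (constructed): overwrite one file with deterministic
        # pseudo-random bytes standing in for ciphertext, delete another, drop a note.
        fake_ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
        with open(os.path.join(backup_dir, "hr", "payroll.csv"), "wb") as f:
            f.write(fake_ciphertext)
        os.remove(os.path.join(backup_dir, "notes.txt"))
        with open(os.path.join(backup_dir, "README_RESTORE.txt"), "w") as f:
            f.write("constructed ransom note placeholder\n")
        tampered = verify_backup(backup_dir, safe_manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

The entropy heuristic is only applied to files whose digest already mismatches, so legitimately compressed or encrypted archives that have not changed since backup time do not raise alarms; a changed file that is also near 8 bits/byte is the signal worth paging on. A real nightly job would additionally restore a sample of files and open them with the owning application, since a correct hash proves the bytes are intact, not that the backup is usable.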
Director of Technology in Government, 501 - 1,000 employees
As long as money is to be made from ransomware attacks, all you can do is reduce your risk and liability by purchasing the right security tools, conducting vulnerability management, implementing a zero trust architecture, and educating your employees. There is no silver bullet for ransomware, but you can do your best to reduce your attack surface.
VP of IT, Self-employed
There are 3 things that I had done in my previous organization.
1. Invest in and automate the basic security programs of patching, setting recovery priorities and acceptable limits, backing up, testing recoveries, and incident response.
2. Invest in and establish visibility of the security posture of the enterprise by using microsegmentation, going inside out, and by integrating security incidents and event assessments into incident response playbooks and runbooks.
3. Invest in, train and exercise top leadership's ability to handle a ransomware-induced business crisis by preparing payment systems, using insurance, forensic analysts and negotiators when needed to ensure business continuity.
